Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-20 Thread Peter Gutmann
Peter Bowen writes: >As someone pointed out on Twitter this morning, it seems that the PSC >notification for Startcom UK was filed recently: >https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf So if I'm

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Percy
Yeah, it's almost impossible to distrust all WoSign authority manually from keychain access. WoSign has 28 root certs or intermediate certs signed by other CAs, listed below. (List from https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates ) Certification Authority of

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Nick Lamb writes: >On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: >> Why would a public CA even need cross-certification from other CAs? > >Maybe this question has some subtlety to it that I'm missing? OK, I really meant "that many other CAs". To take

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Nick Lamb
On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? Maybe this question has some subtlety to it that I'm missing? Acceptance into root trust stores is slow. Glacial in some cases. Mozilla has a published

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Myers, Kenneth (10421)
m <g...@mozilla.org> Cc: Richard Wang <rich...@wosign.com>, "mozilla-dev-security-pol...@lists.mozilla.org" <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: [FORGED] Re: Incidents involving the CA WoSign Message-ID: <1473170991071.38...@

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 16:10, Peter Gutmann wrote: Peter Bowen writes: In addition to the direct impact, I note that WoSign is the subject of cross- signatures from a number of other CAs that chain back to roots in the Mozilla program (or were in the program). This is incredible,

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Rob Stradling
On 06/09/16 15:10, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? To inherit trust on legacy platforms that don't have an automatic root update mechanism. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Peter Bowen writes: >In addition to the direct impact, I note that WoSign is the subject of cross- >signatures from a number of other CAs that chain back to roots in the Mozilla >program (or were in the program). This is incredible, it's like a hydra. Do the BRs say anything

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Peter Gutmann
Eddy Nigg writes: >On 09/04/2016 09:20 AM, Peter Gutmann wrote: >> This is great stuff, it's like watching a rerun of Diginotar > >.says the audience on the backbenches gleefully Well, it doesn't exactly paint the best picture of a competently-run CA, same as

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Eddy Nigg
On 09/04/2016 09:20 AM, Peter Gutmann wrote: Peter Bowen writes: It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar .says the audience on the backbenches gleefully but no, what are you

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-04 Thread Peter Gutmann
Peter Bowen writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar. Definitely the best web soap in the last few weeks... Peter. ___